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The present invention is concerned with systems and methods for using a mobile telephone to automatically log a computer user onto 
a computer system. A subscriber identification module (SIM) is introduced to the computer system so that the computer system associates 
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MOBELE TELEPHONE AUTO PC LOGON 

RELATED APPLICATIONS 

This application is related to, and claims priority from U.S. Provisional 
Patent Application Serial No. 60/109,691, entitled "Mobile Phone Auto PC 
Logon", filed on November 24, 1998, the disclosure of which is incorporated here 
by reference. 

P A C KG RQ UN P 

The Global System for Mobile communication (GSM) describes a European 
standard for radiocommunication utilized by the corresponding Public Land 
Mobile Networks (PLMNs) in the region and in many other countries, which 
standard is intended to provide uniformity so that users can access 
radiocommunication systems throughout Europe and many other countries with 
minimal equipment compatibility problems. 

In order for mobile telephones to operate in cellular telephone systems, the 
user of the mobile telephone must have a subscription with a network provider. In 
GSM systems, the mobile telephone is identified as having a subscription with a 
network provider through the use of a subscriber identity module (SIM). The SIM 
is a "smart card" comprising a processor and a memory. The SIM is designed 
such that it may be removed from one mobile telephone and inserted into another 
mobile telephone with which the user wishes to use her subscription. In GSM the 
SIM is used to protect the mobile network against fraudulent access and to ensure 
subscriber privacy. This is accomplished through authentication of the subscriber 
to prevent access of unregistered users, radio path ciphering, in particular 
ciphering of all subscriber information to prevent third party tapping, and 
subscriber identity protection to prevent subscriber location disclosure. 
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In order to protect information stored on computers, authentication 
mechanisms are used to verify that a user of a computer is an authorized user. 
Typical computer authentication mechanisms include a logon identification and a 
password. One way to increase the security of a computer system or network is to 
increase the number of characters in logon identifications and passwords. Further, 
some computer systems and networks require that the logon identification and 
password are changed on a regular basis, e.g., every three months. Computer 
users find it difficult to memorize long authentication codes every few months. 
Aa»rdingly, what is needed is a secure way for the user to authenticate a 
computer system without having to memorize a logon identification and password. 



SUMMARY 

These and other drawbacks and difficulties found in authentication systems, 
for example computer systems, are overcome according to the present invention. 

15 According to exemplary embodiments of the present invention, a SIM card 

contained in a mobile telephone is associated with a user's computer account using 
a secure technique which exchanges identification information between the 
computer and the SIM. When the mobile telephone is powered on, the user is 
required to enter a Personal Identification Number (PIN). When the user of a 

20 mobile telephone, who has entered the correct PIN comes into communication with 

a computer, the mobile telephone exchanges the identification information with the 
computer and, if the user is authorized, the user is automatically logged onto the 
computer. Accordingly, the user only needs to memorize a short PIN in order to 
perform the authentication needed to log onto a computer. 

25 In accordance with various embodiment described herein, the 

communication link between the computer and the mobile telephone can comprise 
a short-range wireless radio communications link, an infrared wireless 
communication link, or a cable connecting the computer and the mobile telephone. 
Alternatively, the communications link can be established when the mobile 
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telephone is inserted into a telephone battery charger located in proximity to the 
computer. 

Further, exemplary embodiments of the present invention provide a method 
of configuring the mobile telephone and the computer system so the computer 
system associates the user of the mobile telephone with a user name and password 
stored in the computer system. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The foregoing objects, features and advantages of the present invention will 
be more readily understood upon reading the following detailed description in 
conjunction with the drawings in which: 

Figure 1 illustrates the authentication system according to an exemplary 
embodiment of the present invention; 

Figure 2 illustrates an exemplary method for configuration of the mobile 
telephone and the computer system; 

Figure 3 illustrates an exemplary database record for storage and retrieval 
of a SIM ID and public key associated with a particular subscriber; 

Figure 4 illustrates a exemplary arrangement which allows a mobile 
telephone to logon to a computer system of the present invention; and 

Figure 5 illustrates an exemplary method for logging on to a computer 
system using a mobile telephone. 



DETAILED DESCRTFTIQM 

In the following description, for purposes of explanation and not 
limitation, specific details are set forth, such as particular circuits, circuit 
components, and techniques, in order to provide a thorough understanding of the 
present invention. However, it will be apparent to one skilled in the art that the 
present invention may be practiced in other embodiments that depart from these 
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^deteiis. In orher instances, defied descriptions of we.l-taown tnethc-is, 
IL, and circuits are omitted so as no, to obscure » description of fite present 
invention. 

Tte exempt embodiments provide Ulustiative examples relating to 
^Ue te.ephon* which operate according to the GSM standard- However «hose 
s^ed in the art win appreciate ma, me concepts disclosed herein are equal., 
applicable to mobile telephones which opera, according to omer standard. 
Unwise, some of me exemplar, embodiment provide iltastiative examples 
relating SIM cards for providing subscriber identification information, however. 
fc techniques describe herein are etpaUy applicable to <*her methods of 
providing subscriber identified information in a mobUe telephone. 

Figure 1 illustrates an exemplary embodiment of die hardware which ts 

.e.ephone 110. SIM 120 provides intonation necessary for me mobtie tefcphooe 

t k'u notu/nrt When die mobile telephone 110 is powered 
110 to operate m the mobtie network, wnentneino r 

onth e user is prompted for a PIN which would allow me user «o operate ft. 

Tine. If tL PIN entered by tiK user matehes me PIN stored in SIM 120, men 

the user is able to operate mobile telephone 110. 

Computer 140 canbe any rype of computer such asa-Winte!" computer 

However, one skulod in me art will recognize ma, <he computer could a!so use 

e <r Cvrix or AMD. Motorola, and any 
processors made by any manufacturer, e.g., Lynx or 

le of operating system, e.g.. Unix and Apple's Macmtosh operating system^ 
^ly^Tuser to access the operating system and application ^ » 
a l ol computer ,40, tire user mns, be logged onto me computer 140. Typtc. 

elafogonidentificationandapassword. Once a user has enter the corre* 
log on identification and password the user will be logged onto me computer ,40. 
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In order for a user to implement the present invention, the computer system 
and the mobile telephone can be configured such that the user account or identity 
of mobile telephone 1 10 is associated with a user account or identity of the 
computer 140 (or a computer network). More specifically, SIM 120 will be 
associated with the account of a user of computer 140. According to an exemplary 
embodiment of the present invention, computer 140 runs Windows NT and the 
SIM can run programs written in the Java programming language. 

Figure 2 illustrates an exemplary method for configuration of the system. 
Accordingly, in step 205 the mobile telephone is set in a mode wherein 
information can be written into the SIM, e.g., the SAT configuration mode. 
According to an exemplary embodiment of the present invention, SIM 120 
contains a SIM application toolkit (SAT). SAT is a development environment 
incorporated in the GSM standard for writing programs which run on SIMs. To 
install the program which generates the public and private keys onto SIM 120, 
SIM 120 is inserted into smart card reader/writer 150. One skilled in the art will 
recognize that smart card reader/writer is only needed to install the programs 
which run on SIM 120, e.g., the program which generates public and private keys. 
Accordingly, to automatically logon to a PC according to the present invention 
does not require each computer to have a smart card reader/writer. The mobile 
telephone can be set in the SAT configuration mode by selecting the configure 
SAT option from the menu of functions available on the mobile telephone and by 
entering the correct PIN, i.e., an administrative PIN used for configuration of the 
mobile telephone. Alternatively, the PIN used for setting the mobile telephone in 
the SAT configuration mode may be the same PIN used to activate the mobile 
telephone. 

In step 210, the computer 140 generates a set of public and private keys. 
The public key is stored in an administrative database in computer 140, or in a 
computer network, in accordance with step 215. Figure 3 illustrates a purely 
exemplary database record for storage and retrieval of a SIM ID and public key 
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as^wnh a paries user. In step 220, the private key is stored on die SIM 

120 to ^d«»^P»«»^te^ <to,r,,, ^ beWte,,fl,e 
tnobUe telephone 110 and the computtr 140, are stored on the SIM 120, m 
accordances step 225. The various parameters are the numbers used tn the 

RSA algorithm, e.g., two prime numbers. 

Once the system has been configured to associa* the SIM wim one or more 
«, accounts/identities of the compmer system and me user of mobile telephone 
110 has entered the PIN inio the mobile telephone 1 10. the user may aummaticaUy 
log onto computer 140. Accordingly, the user will engage a communications In* 
between mobile telephone 110 and computer 140 to transfer audrentication/identny 
^formation there between. According to an exemplary embodiment, .he 
communicadon In* b*ween mobde telephone 110 and computer 140 is e*abltshed 
via short range radio communications technology such as -BluetootiV which ts 
described in "Bluetoom-Tne Universal Radio InKrface for Ad Hoc, Wtreless 
Connectivity' by laap Haarisen. Ericsson Review, No. 3. 1998. which is herem 
incorponued by reference. Of course those skilled in the art will apprectate .hat 
„ other type of communication link can be employed. According to me 
exemplary embodiment using "Blueuxtth". the user neod only emer an area wtdun 
tbe radio range of the co.np.uer for a communications link to be engaged between 
the mobile telephone and the compute, According to mis embodiment, computer 
MO. has a communicadon unit 130 anached to it, in order to communicate vta the 
short range radio communications. 

Figure 4 illustrates an exemplary arrangement which allows a mobde 
telephone user to logo, to a compact system acoording to the present invention. 
Computer 405 is running an operating system 450. wherein one of.be components 
of me operating system is resource manager 4,0. A smart card device dnver 415 
huerfaces between the operating system 450 running on computer 405. and SIM 
430 as illusuated in figure 4. In an exemplary embodiment, computer 140 ts 
J* an operating sysKm which uses Microsoft Smart Card Technology. 
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Microsoft Smart Card Technology is currently available for the following 
operating systems, Microsoft Windows 95, Windows 98, NT 4 and NT 5. 
Additionally, future versions of Microsoft operating systems are expected to 
support the Smart Card Technology. Smart Card Technology uses a resource 
manager to manage and control all applications access to the smart card. 
Microsoft Smart Card Technology is described in "Smart Cards White Paper", 
Microsoft Corporation, April 24, 1998, which is herein incorporated by reference. 
Although an exemplary embodiment of the present invention is described herein 
with reference to the Windows NT operating system, one skilled in the art will 
recognize that the present invention can be implemented using any type of 
operating system which has the ability, or can be modified, to communicate with 
smart cards. Device driver 415 and resource manager 410 are components of the 
Smart Card Technology. Accordingly, one skilled in the art will recognize that in 
other operating system environments, the operating system components responsible 
for logon will perform functions similar to those described herein with regard to 
the device driver 415 and the resource manager 410. Device driver 415 
communicates with mobile telephone 425 through communications link 420. 
Identification and authentication information are exchanged between SIM 430, via 
mobile telephone 425, and the computer 405, via device driver 415. Accordingly, 
device driver 415 translates information received from mobile telephone 425 into a 
form which is compatible with resource manager 410, and also translates data from 
resource manager 410 into a form which mobile telephone 425 can convey to SIM 
430. 

An exemplary method for logging onto a computer system using a SIM in a 
mobile telephone is illustrated in Figure 5. In step 510, one of the computer and 
the activated mobile telephone recognize a proximity to the other. According to 
one exemplary embodiment this is accomplished by the computer detecting a short 
range signal emitted by the mobile telephone. Alternatively, the mobile telephone 
can detect a short range signal emitted by the computer. In step 515, the computer 
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determines whether a mobile telephone has been found. If the computer does not 
find a mobile telephone, in accordance with the "NO" path out of decision step 
515, then the computer returns to step 510 to search for a mobile telephone. If * 
mobile telephone is found by the computer, in accordance with the "YES" path 
of decision step 515, then components of the smart card technology on the 
Windows NT computer sends an instruction to the mobile telephone to activate the 
authentication application in the SIM, in accordance with step 520. 

In step 525, the computer queries the mobile telephone using an AT 
command to determine whether the detected mobtte telephone has the capability of 
generating a digital signature and whether such capability has been activated in the 
mobile telephone. AT stands for attention, and AT commands are standard 
commands used for serial communication with computers. The digital signature is 
a string of bits which is produced by the RSA algorithm using the private key and 
a random string of bits. The digital signature is used to uniquely, and securely, 
identify the mobile telephone. According to an exemplary embodiment of the 
present invention, the mobile telephone will have an option on one of its menus to 
activate and deactivate the sending of a digital signature. If the digital signature 
capability is not activated, in accordance with the "NO" path out of decision step 
525, then the system returns to step 510 and the computer continues to search for 



20 mobile telephones 



If the digital signature capability has been activated by the mobile 
telephone, in accordance with the "YES" path out of decision step 525, then the 
smart card driver 415 sends an AT command to the mobile telephone requesting 
the SIM ID number, in accordance with step 530. After the SIM ID is returned 
from the mobile telephone to the computer, the smart card driver 415 notifies the 
resource manager 410 that a SIM card is inserted in the mobile telephone. The 
resource manager 410 notifies a graphical identification and authentication 
dynamic-link library (GINA) that a card is inserted, in accordance with step 550. 
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GINA allows developers to implement smart-card authentication mechanisms in 
place of the standard Windows NT user name and password authentication. 

In step 560, GIN A retrieves the authentication information from the SIM. 
Step 560 involves GINA calling the Crypto applications program interface 
(CryptoAPI), which results in data transfer between the card and the smart card 
driver. This data transfer involves the smart card driver sending (via a transceiver 
device connected to computer 405), a random pattern of bits to the SIM. This 
information can, for example, be stored in the SMS (short message service) 
memory of the mobile telephone. The SIM card in the mobile telephone encodes 
the random data using the RSA algorithm and with the private key. The coded 
data, i.e. , the digital signature, is sent back to the smart card driver. The 
encrypted random bits are decrypted by either the smart card driver or the 
CryptoAPI service provider using the SIM's public key. The decrypted random 
bits are compared to the transmitted random bits, in accordance with step 570. If 
the data matches then the user is logged onto the computer in accordance with step 
580. The logon procedure of step 580 is completed by GINA in cooperation with 
other components of the authentication system, e.g., LAN Security Architecture 
(LSA), Kerbos, Key Distribution Center (KDC). 

Although the description above describes logging onto a computer, one 
skilled in the art will recognize that the invention is equally applicable to logging 
onto computer networks or any device which requires authentication. Further, 
although communications unit 130 is shown as a separate peripheral from 
computer 140, one of ordinary skill in the art will recognize that communications 
unit 130 can be incorporated in a PC card design and mounted inside of computer 
140. In addition, although the exemplary embodiments describe the use of a PIN 
to activate the mobile telephone, the mobile telephone can also be activated by 
conventional voice activation systems. 

Although the exemplary embodiment is discussed wherein the 
communications link between computer 140 and mobile telephone 1 10 is a radio 
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communications link, the preset invention can be practiced with any type of 
^^^onstink between the computer and mobfle telephone. Accenting.,, 
te contentions link may be a cable adached between the two devices, e.g., an 
RS-232 cable. Alternatively, the communications link may be an MM link, i.e. , 
an infrared lmk whose standards are defined by the Infrared Data Associahon. 
According to an exemplary embodiment, the audtentication could be performed 
when .be mobile telephone 110 is inserted too a cradle which recharges the mobtle 
telephone's battery. In addition to being connected «o a power source, the cradle ,s 
connected to the computer through any of the various commumcanons lmks 
described herein. Additionally, when a user of the mobile telephone, who has 

logg ed onto a computer, moves out of range of the computer, the user may 
be automatically logged off of the computer. Alternatively, when tire mobde 
telephone moves out of range a password protected screen saver could be mmated 
to protect the computer users data. 

While the present invention has been described using the forgoing 
exemplar, embodiments, these embodiment are intended to be illustrative in all 
respects , rather than restrictive of the present invention. Thus, tire scope of tire 
present invention is instead set forth by the appended claims and encompasses any 
and all equivalents and modifications embraced thereby. 
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WHAT IS CLAIMED IS: 

1. A method for logging onto a computer comprising the steps of: 
establishing a communications channel between a mobile telephone and the 

computer; 

exchanging identification information between the mobile telephone and the 
computer; and 

logging a user of said mobile telephone onto the computer when the 
identification information is verified by the computer, 

2. A method in accordance with claim 1 , further comprising the steps of: 
entering a personal identification number when the mobile telephone is 

powered on; and 

activating the mobile telephone if the entered personal identification number 
matches a personal identification number stored on a subscriber identity module in 
said mobile telephone. 

3. A method in accordance with claim 1 comprising the step of 
associating the mobile telephone with the user of the computer. 

4. A method in accordance with claim 3, wherein said step of associating the 
mobile telephone comprises the steps of: 

setting the mobile telephone into a configuration mode; 
generating public and private keys; 
storing the public key in a database on said computer; and 
storing the private key and coding data on a smart card in said mobile 
telephone. 
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5. A method in accordance with claim 1 , wherein said step of establishing 
a communications channel comprises the steps of: 

searching c or a mobile telephone; and 

determine whether a digital signature capability is present in the mobile 
5 telephone and whether the digital signature capability has been activated in sa 1 d 
mobile telephone. 

6 . A method in accordance with claim 1. wherein the step of exchanging 
identification information comprises the steps of: 

10 retrieving an identification number associated with a smart card; 

ootUytag the computer mat the smart card is inserted in the mobile telephone; 

and 

narieving authentication information from said smart card. 

15 7. A method in accordance with claim 1, wherein the communications channel 

is a radio communications link. 

8. A method in accordance with claim 1, wherein the communications channel 
is an infrared link. 

20 9. A method in accordance with claim 1, wherein the communications channel 

is a cable connecting the mobile telephone and the computer. 

10 A method in accordance with claim 1 , wherein said communications 
M channel is established when the tnobue telephone is inserted imo a battery charger, 
and wherein said battery charger is connected to the computer via stud 
communications channel. 
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11. A system for logging onto a computer comprising: 
a mobile telephone; and 

a communications link between said mobile telephone and said computer, 
wherein a user of said mobile telephone is logged onto said computer through an 
authentication procedure which is performed over said communications link. 

12. A system according to claim 11, wherein said mobile telephone includes a 
subscriber identity module (SIM). 

13. A system according to claim 11, wherein said card is a smart card. 

14. A system according to claim 11, wherein said communications link is a 
radio communication link. 

15. A system according to claim 11, wherein said communications link is a 
cable connecting the mobile telephone and the computer. 

16. A system according to claim 11, wherein the authentication procedure 
involves the mobile telephone coding random bits transmitted from the computer, and 
wherein the mobile telephone transmits the encoded random bits to the computer. 

17. A system according to claim 16, wherein said mobile telephone codes the 
random bits using a private key, and wherein the computer decodes said encoded 
random bits using a public key. 

18. A method for automatically logging a mobile telephone user onto a 
computer network comprising the steps of: 

searching for a mobile telephone from a computer connected to said computer 
network; 
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detennining, by said computer, whether the mobile telephone has been set in 

an automatic logon mode; 

Cecktag, by said computer, an identification number of the mobile telephone; 
panning an aumenticaton procedure between the moMIe telephone art the 

5 computer. 

19 A method in accordance with claim 18, wherein the mobile telephone is 
se, in an automatic logon mode if a digital signature capability is presenr and is 
activated in the mobile telephone. 

10 20 A method in accordance wiflr claim 18, wherein the identification number 

^subscriber identification module number aored on a smart card in the mobde 
telephone. 

21. A method in accordance with claim 18 , wherein the step of checking an 
identification number of the mobile telephone comprises the step of : 

retrieving the identification number using an AT command. 

22. A method in accordance with claim 18, wherein the authentication 

20 procedure comprises the steps of: 

notifying an operating system component which is responsible for logon that a 

card is inserted in the mobile telephone; 

retrieving and analyzing authentication information from the card; and 
logging the user onto the computer if the authentication information is valid. 
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23. A method in accordance with claim 22, wherein the step of retrieving and 
analyzing authentication information comprises the steps of : 
sending a random string of bits to the mobile telephone; 
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encoding, in the mobile telephone, the random string of bits with a private 

key; 

returning the encoded random string of bits to the computer; and 
decoding, in the computer, the encoded string of bits using a public key. 

24. A method in accordance with claim 23, wherein the authentication 
information is valid when the string of bits decoded by the public key matches the 
random string of bit sent to the mobile telephone. 

25. A method in accordance with claim 18, wherein the computer and the 
mobile telephone exchange information through a wireless communication channel. 

26. A method in accordance with claim 25, wherein the wireless 
communication channel is a short range radio frequency channel. 

27. A method in accordance with claim 25, wherein the wireless 
communication channel is an infrared communications channel. 

28. A method in accordance with claim 18, wherein the computer and the 
mobile telephone exchange information through a cable. 

29. A method in accordance with claim 18, further comprising the step of: 
automatically logging the user off of the computer network when the mobile 

telephone is a predetermined distance from said computer, wherein the predetermined 
distance is a range of a radio signal produced by the computer. 

30. A method in accordance with claim 18, further comprising the step of: 
initiating a password protected screen saver on the computer when the mobile 
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telephone is a predetermined distance from said computer, wherein the predetermined 
distance is a range of a radio signal produced by the computer. 
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